U.S. patent application number 16/635262 was filed with the patent office on 2020-11-26 for random number generation system, random number generation method, and random number generation program.
This patent application is currently assigned to NEC Corporation. The applicant listed for this patent is NEC Corporation. Invention is credited to Kazuhiko MINEMATSU, Yuki TANAKA.
Application Number | 20200371751 16/635262 |
Document ID | / |
Family ID | 1000005049434 |
Filed Date | 2020-11-26 |
![](/patent/app/20200371751/US20200371751A1-20201126-D00000.png)
![](/patent/app/20200371751/US20200371751A1-20201126-D00001.png)
![](/patent/app/20200371751/US20200371751A1-20201126-D00002.png)
![](/patent/app/20200371751/US20200371751A1-20201126-D00003.png)
![](/patent/app/20200371751/US20200371751A1-20201126-D00004.png)
![](/patent/app/20200371751/US20200371751A1-20201126-D00005.png)
![](/patent/app/20200371751/US20200371751A1-20201126-D00006.png)
![](/patent/app/20200371751/US20200371751A1-20201126-D00007.png)
![](/patent/app/20200371751/US20200371751A1-20201126-M00001.png)
![](/patent/app/20200371751/US20200371751A1-20201126-M00002.png)
![](/patent/app/20200371751/US20200371751A1-20201126-M00003.png)
View All Diagrams
United States Patent
Application |
20200371751 |
Kind Code |
A1 |
TANAKA; Yuki ; et
al. |
November 26, 2020 |
RANDOM NUMBER GENERATION SYSTEM, RANDOM NUMBER GENERATION METHOD,
AND RANDOM NUMBER GENERATION PROGRAM
Abstract
A generation means 11 generates a uniform random number between
0 and a first probability, which is a probability of a stochastic
variable becoming a value within a predetermined interval in a
positive range in the first discrete distribution. When a uniform
random number less than or equal to a second probability is
generated, the second probability being a probability of the
stochastic variable becoming a value within a predetermined
interval in a second discrete distribution, which is a discrete
Gaussian distribution on a one-dimensional lattice the center of
which is the origin, the selection means 12 selects, as a random
number generation method, an accumulation method in which a
functional value defining the second discrete distribution is used.
When a uniform random number greater than the second probability is
generated, the selection means 12 selects a rejection sampling
method as the random number generation method.
Inventors: |
TANAKA; Yuki; (Tokyo,
JP) ; MINEMATSU; Kazuhiko; (Tokyo, JP) |
|
Applicant: |
Name |
City |
State |
Country |
Type |
NEC Corporation |
Minato-ku, Tokyo |
|
JP |
|
|
Assignee: |
NEC Corporation
Minato-ku, Tokyo
JP
|
Family ID: |
1000005049434 |
Appl. No.: |
16/635262 |
Filed: |
August 7, 2017 |
PCT Filed: |
August 7, 2017 |
PCT NO: |
PCT/JP2017/028584 |
371 Date: |
January 30, 2020 |
Current U.S.
Class: |
1/1 |
Current CPC
Class: |
G06F 7/58 20130101 |
International
Class: |
G06F 7/58 20060101
G06F007/58 |
Claims
1. A random number generation system that generates a random number
according to a first discrete distribution, which is a discrete
Gaussian distribution on a one-dimensional lattice the center of
which is a positive value, the random number generation system
comprising: a generation unit, implemented by a hardware including
one or more processors, which generates a uniform random number
between 0 and a first probability, which is a probability of a
stochastic variable becoming a value within a predetermined
interval in a positive range in the first discrete distribution;
and a selection unit, implemented by the hardware, when a uniform
random number less than or equal to a second probability is
generated, the second probability being a probability of the
stochastic variable becoming a value within a predetermined
interval in a second discrete distribution, which is a discrete
Gaussian distribution on a one-dimensional lattice the center of
which is the origin, selects, as a random number generation method,
an accumulation method in which a functional value defining the
second discrete distribution is used, when a uniform random number
greater than the second probability is generated, selects a
rejection sampling method as the random number generation
method.
2. The random number generation system according to claim 1,
further comprising an accumulation method generation unit,
implemented by the hardware, which generates a random number
according to the discrete Gaussian distribution on the
one-dimensional lattice by the accumulation method that uses the
functional value defining the second discrete distribution, wherein
the selection unit instructs the accumulation method generation
unit to generate a random number after the accumulation method is
selected, and the accumulation method generation unit generates a
random number in response to the instruction.
3. The random number generation system according to claim 2,
wherein the accumulation method generation unit includes a storage
unit, implemented by the hardware, which stores the functional
value defining the second discrete distribution.
4. The random number generation system according to claim 1,
further comprising a rejection sampling method generation unit,
implemented by the hardware, which generates a random number
according to the discrete Gaussian distribution on the
one-dimensional lattice by the rejection sampling method, wherein
the selection unit instructs the rejection sampling method
generation unit to generate a random number after the rejection
sampling method is selected, and the rejection sampling method
generation unit generates a random number in response to the
instruction.
5. A computer-implemented random number generation method to be
executed in a random number generation system that generates a
random number according to a first discrete distribution, which is
a discrete Gaussian distribution on a one-dimensional lattice the
center of which is a positive value, the random number generation
method comprising: generating a uniform random number between 0 and
a first probability, which is a probability of a stochastic
variable becoming a value within a predetermined interval in a
positive range in the first discrete distribution; when a uniform
random number less than or equal to a second probability is
generated, the second probability being a probability of the
stochastic variable becoming a value within a predetermined
interval in a second discrete distribution, which is a discrete
Gaussian distribution on a one-dimensional lattice the center of
which is the origin, selecting, as a random number generation
method, an accumulation method in which a functional value defining
the second discrete distribution is used; and when a uniform random
number greater than the second probability is generated, selecting
a rejection sampling method as the random number generation
method.
6. A non-transitory computer-readable capturing medium having
captured therein a random number generation program executed on a
computer that generates a random number according to a first
discrete distribution, which is a discrete Gaussian distribution on
a one-dimensional lattice the center of which is a positive value,
the random number generation program causing the computer to
execute: a generation process that generates a uniform random
number between 0 and a first probability, which is a probability of
a stochastic variable becoming a value within a predetermined
interval in a positive range in the first discrete distribution; a
first selection process that, when a uniform random number less
than or equal to a second probability is generated, the second
probability being a probability of the stochastic variable becoming
a value within a predetermined interval in a second discrete
distribution, which is a discrete Gaussian distribution on a
one-dimensional lattice the center of which is the origin, selects,
as a random number generation method, an accumulation method in
which a functional value defining the second discrete distribution
is used; and a second selection process that, when a uniform random
number greater than the second probability is generated, selects a
rejection sampling method as the random number generation
method.
7. The random number generation system according to claim 2,
further comprising a rejection sampling method generation unit,
implemented by the hardware, which generates a random number
according to the discrete Gaussian distribution on the
one-dimensional lattice by the rejection sampling method, wherein
the selection unit instructs the rejection sampling method
generation unit to generate a random number after the rejection
sampling method is selected, and the rejection sampling method
generation unit generates a random number in response to the
instruction.
8. The random number generation system according to claim 3,
further comprising a rejection sampling method generation unit,
implemented by the hardware, which generates a random number
according to the discrete Gaussian distribution on the
one-dimensional lattice by the rejection sampling method, wherein
the selection unit instructs the rejection sampling method
generation unit to generate a random number after the rejection
sampling method is selected, and the rejection sampling method
generation unit generates a random number in response to the
instruction.
Description
TECHNICAL FIELD
[0001] The present invention relates to a random number generation
system, a random number generation method, and a random number
generation program, and particularly relates to a random number
generation system, a random number generation method, and a random
number generation program that are used in lattice-based
cryptography and signature and generates a random number according
to discrete Gaussian distribution the center of which is not an
origin.
BACKGROUND ART
[0002] First, discrete Gaussian distribution will be defined. A
function defined by a real number s .di-elect cons. R (R is a
symbol representing a set of all real numbers) is defined as
follows.
[ Expression 1 ] .phi. s ( x ) := 1 s exp ( - .pi. s 2 x 2 )
Formula ( 1 ) ##EQU00001##
[0003] A distribution in which an integer value u .di-elect cons. Z
(Z is a symbol representing a set of whole integers) is output with
probability .phi..sub.s(u)/.SIGMA..sup..infin..sub.j=-.infin.
.phi..sub.s(j) is referred to as discrete Gaussian distribution
with a variance value s. As described in Non Patent Literature
(NPL) 1, a random number generated in accordance with the above
discrete Gaussian distribution is used for cryptography using a
lattice (hereinafter referred to as lattice-based cryptography).
Lattice-based cryptography is expected to be used as post-quantum
cryptography. Furthermore, lattice-based cryptography is a
cryptographic system that has been studied as a cryptographic
scheme with high computational efficiency and high
functionality.
[0004] The discrete Gaussian distribution is probability
distribution that can output all integer values. However, when the
random number generated in accordance with discrete Gaussian
distribution are used for lattice-based cryptography, limiting the
range of integer values output by the discrete Gaussian
distribution would often increase efficiency in the generation of
stochastic variables.
[0005] For example, limiting the range of integer values output by
discrete Gaussian distribution in such a way that it depends on a
security parameter n .di-elect cons. N (N is a symbol representing
a set of all natural numbers) would increase the efficiency in the
generation of stochastic variables.
[0006] That is, setting {k .di-elect cons.
Z|-rs.ltoreq.k.ltoreq.ts} as an output range of the discrete
Gaussian distribution with t=.OMEGA.(logn).sup.1/2 would increase
the efficiency in the generation of stochastic variables. Here,
.OMEGA. is a Landau symbol. It is generally known that limiting the
range of integers output by discrete Gaussian distribution as
described above would not affect the security of lattice-based
cryptography.
[0007] When the normalization constant W is defined as
W=.SIGMA..sup.ts.sub.i=-ts .phi..sub.s(i), the discrete Gaussian
distribution in which the range of output integers is limited as
described above is expressed as .psi..sub.s(x)=.phi..sub.s(x)/W.
When .psi..sub.s(x) is used, the integer value u .di-elect cons. Z
is output with probability .phi..sub.s(u).
[0008] Hereinafter, the "discrete Gaussian distribution" in this
specification will refer to probability distribution in which an
output integer range is {k .di-elect cons.
z|-ts.ltoreq.k.ltoreq.ts}, and an integer value u .di-elect cons. Z
is output with probability .psi..sub.s(u). Moreover, the function
.phi..sub.s(x)=.phi..sub.s(x)/W will be referred to as a function
that defines discrete Gaussian distribution.
[0009] Next, the center of the discrete Gaussian distribution will
be described. The discrete Gaussian distribution with the center c
and the variance value s is probability distribution that outputs
an integer value u with probability .psi..sub.s(u-c).
[0010] The above is a definition for discrete Gaussian distribution
on a one-dimensional lattice. Next, a definition for discrete
Gaussian distribution on an n-dimensional lattice will be
given.
[0011] A matrix in which vectors {b .sub.1.sup..fwdarw., . . . ,
b.sub.n.sup..fwdarw.} .di-elect cons. R.sup.n are arranged
horizontally is denoted as B.
[0012] An n-dimensional lattice A(B) using the matrix B is defined
as follows.
[ Expression 2 ] .LAMBDA. ( B ) := { i .di-elect cons. [ n ] c i b
_ i | c i .di-elect cons. Z } Formula ( 2 ) ##EQU00002##
[0013] The Gaussian function on IV whose center is c.sup..fwdarw.
is defined as follows using the parameter s.
[ Expression 3 ] for all x .fwdarw. .di-elect cons. R n , .rho. s ,
c .fwdarw. ( x .fwdarw. ) = exp ( - .pi. x .fwdarw. - c .fwdarw. 2
s 2 ) Formula ( 3 ) ##EQU00003##
[0014] The discrete Gaussian distribution on the n-dimensional
lattice A is defined as follows using the Gaussian function
expressed by the above Formula (3).
[ Expression 4 ] for all x .fwdarw. .di-elect cons. .LAMBDA. , D
.LAMBDA. , s , c .fwdarw. ( x .fwdarw. ) = .rho. s , c .fwdarw. ( x
.fwdarw. ) .rho. s , c .fwdarw. ( .LAMBDA. ) Formula ( 4 )
##EQU00004##
[0015] That is, the discrete Gaussian distribution on the
n-dimensional lattice is probability distribution in which the
stochastic variable follows the Formula (4). Hereinafter, for
simplicity, the discrete Gaussian distribution on the
one-dimensional lattice and the discrete Gaussian distribution on
the n-dimensional lattice will also be referred to as
one-dimensional discrete Gaussian distribution and an n-dimensional
discrete Gaussian distribution, respectively.
[0016] The above is the definition of one-dimensional discrete
Gaussian distribution and the definition of a multidimensional
(n-dimensional) discrete Gaussian distribution. Next, a sampling
method for generating a random number according to each of discrete
Gaussian distribution patterns will be described.
[0017] Typically, sampling methods as a method for generating a
random number according to one-dimensional discrete Gaussian
distribution include two methods, an accumulation method and a
rejection sampling method. Here, a function that defines
one-dimensional discrete Gaussian distribution is .phi.(x), and an
output range of the one-dimensional discrete Gaussian distribution
is {k .di-elect cons. Z|-ts.ltoreq.k.ltoreq.ts}.
[0018] The above two sampling methods will be described separately
for the case where a center of the one-dimensional discrete
Gaussian distribution is an origin and the case where a center of
the one-dimensional discrete Gaussian distribution is not the
origin.
[0019] First, a process of generating, using an accumulation
method, a random number according to one-dimensional discrete
Gaussian distribution the center of which is the origin will be
described on the basis of the description of NPL 2. FIG. 9 is a
block diagram showing an exemplary configuration of a conventional
random number generation system that generates a random number
according to one-dimensional discrete Gaussian distribution.
[0020] As shown in FIG. 9, a random number generation system 910
that generates a random number according to one-dimensional
discrete Gaussian distribution the center of which is the origin
includes a storage device 911, a searcher 912, and a uniform random
number generator 913.
[0021] The following describes operation of the conventional random
number generation system 910 including components as shown in FIG.
9 that generates a random number according to one-dimensional
discrete Gaussian distribution the center of which is the origin.
First, values of .phi.(0)/2, .phi.(1), .phi.(2), . . . , .phi.(ts)
are computed in advance and stored in the storage device 911.
Individual vertical lines in the storage device 911 shown in FIG. 9
represent individual values stored, such as .phi.(0)/2 or
.phi.(1).
[0022] Next, the uniform random number generator 913 outputs a real
value x .di-elect cons. [0,1]. The output x .di-elect cons. R is
input to the searcher 912. The searcher 912 to which x has been
input performs binary search for z .di-elect cons. Z that satisfies
.phi.(z-1).ltoreq.x<.phi.(z) from among the values stored in the
storage device 911.
[0023] Next, the searcher 912 uniformly selects a code sign=.+-..
Next, the searcher 912 outputs signz .di-elect cons. Z as a random
number according to one-dimensional discrete Gaussian distribution.
The above is a method, using the accumulation method, for
generating a random number according to one-dimensional discrete
Gaussian distribution with the origin at the center.
[0024] Note that the method for generating the random number
according to the one-dimensional discrete Gaussian distribution the
center of which is not the origin by the accumulation method, for
example, the center being at a, can be a method to replace .phi.(x)
with .phi.(x-a) in the method for generating the random number
according to the one-dimensional discrete Gaussian distribution the
center of which is the origin.
[0025] In the accumulation method, the number of pieces of data
stored in the storage device is proportional to ts. The data stored
in the storage device when using the one-dimensional discrete
Gaussian distribution the center of which is the origin would be
.phi.(0)/2, .phi.(1), .phi.(2), (ts). In contrast, the data when
using one-dimensional discrete Gaussian distribution the center of
which is a, rather than the origin, would be .phi.(0-a)/2,
.phi.(1-a), .phi.(2-a), . . . , .phi.(ts-a).
[0026] That is, the accumulation method has a problem that using
discrete Gaussian distribution having a large variance value s
would increase the amount of memory required to store the
functional values. In the existing lattice-based cryptography, the
variance value s takes a relatively large value.
[0027] As a specific amount of memory required for storing the
functional values, for example, the values shown in FIG. 10 are
described in NPL 4. FIG. 10 is an explanatory diagram showing an
example of the amount of memory consumed when the accumulation
method is used. As shown in FIG. 10, the larger the variance value,
the larger the amount of memory consumed.
[0028] The description of "q-type/1 signature" shown in the
"center" field of FIG. 10 indicates that the center of q=2.sup.K
will be prepared for one signature generation. Similarly, "2-type/1
signature" indicates that only two types of centers will be
prepared for one signature generation.
[0029] In addition, "Usage" shown in FIG. 10 represents an
application in which Gaussian distribution is used by individual
methods. For example, in the method "LWE-plane", Gaussian
distribution is used for the purpose of "key generation".
Furthermore, in the method "GPV" or the like, Gaussian distribution
is used for the purpose of "signature generation". When Gaussian
distribution is used in the "signature generation" application, the
Gaussian distribution is used many times.
[0030] In general, lattice-based cryptography such as RSA requires
a small amount of computation. Therefore, the lattice-based
cryptography is expected to be used in a device having a small
computing resource and a small storage capacity, such as a sensor
device or a mobile phone.
[0031] However, when the accumulation method is used for generation
of a random number according to the discrete Gaussian distribution,
which is a lattice-based cryptography subroutine, a large amount of
storage capacity would be used for storing data used in the
accumulation method. That is, there would be a problem of
difficulty using the lattice-based cryptography in a device having
a small storage capacity.
[0032] Next, the rejection sampling method will be described. The
rejection sampling method is a method used for generation of a
random number according to any discrete probability distribution,
not limited to the discrete Gaussian distribution.
[0033] First, a rejection sampling method for generating a random
number according to discrete probability distribution for a general
stochastic variable X will be described on the bases of description
of NPL 5. Thereafter, a rejection sampling method for generating a
random number according to one-dimensional discrete Gaussian
distribution will be described.
[0034] In order to generate a random number according to discrete
probability distribution p(X=x.sub.i) using the rejection sampling
method, a function t(x) that can be efficiently computed is
prepared, from among the functions t(x) that satisfy
t(x.sub.i).gtoreq.p(x.sub.i) for all x.sub.i values.
[0035] Next, a function r(x) in which t(x) is normalized is set as
r(x)=t(x)/.SIGMA.t(x.sub.i). Next, the following procedure is
executed to generate a random number according to the discrete
probability distribution p(X=x.sub.i) (probability distribution
function) for the stochastic variable X by using the rejection
sampling method.
[0036] (Step 1) Generating a random number Y according to the
probability distribution function r(x).
[0037] (Step 2) Generating a uniform random number U in an interval
[0,1] independently of Y.
[0038] (Step 3) When U.ltoreq.p(Y)/t(Y) is satisfied, the random
number X is set to X=Y. When U.ltoreq.p(Y)/t(Y) is not satisfied,
the process of (Step 1) will be performed again.
[0039] Note that 1/.epsilon., g, and fin Algorithm A.sub.1
described in NPL 5 are converted to 1, t, and p, respectively, in
the above procedure.
[0040] Next, a rejection sampling method for generating a random
number according to one-dimensional discrete Gaussian distribution
will be described on the basis of description of NPL 3. Note that
the method described in NPL 3 is a method in which the
above-described rejection sampling method is applied to a case
where the function t(x) is identically 1.
[0041] FIG. 11 shows an exemplary configuration of a device for
implementing the method described in NPL 3. FIG. 11 is a block
diagram showing another exemplary configuration of a conventional
random number generation system that generates a random number
according to one-dimensional discrete Gaussian distribution.
[0042] As shown in FIG. 11, a random number generation system 920
that generates a random number according to one-dimensional
discrete Gaussian distribution the center of which is the origin
includes a rejection determiner 921, a uniform random number
generator 922, and an output device 923.
[0043] The following describes operation of the conventional random
number generation system 920 including components as shown in FIG.
11 that generates a random number according to one-dimensional
discrete Gaussian distribution the center of which is the origin.
First, the uniform random number generator 922 generates a uniform
random number u.sub.1 .di-elect cons. Z in a range of {k .di-elect
cons. Z|-ta.ltoreq.k.ltoreq.rs}.
[0044] Next, the uniform random number generator 922 generates a
real-valued random number u.sub.2 .di-elect cons. R within a range
of [0, .phi.(0)]. The uniform random number generator 922 inputs
the generated u.sub.1 .di-elect cons. Z and u.sub.2 .di-elect cons.
R to the rejection determiner 921.
[0045] Next, rejection determiner 921 compares .phi.(u.sub.1) with
u.sub.2 .di-elect cons. R. When the comparison result is
u.sub.2.ltoreq..phi.(u.sub.1), the rejection determiner 921 inputs
u.sub.1 .di-elect cons. Z to the output device 923. The output
device 923 outputs u.sub.1 .di-elect cons. Z as a random number
according to one-dimensional discrete Gaussian distribution the
center of which is the origin.
[0046] When the comparison result is u.sub.2>.phi.(u.sub.1), the
random number generation system 920 returns to the first step and
executes the same operation again. The above is a method, using the
rejection sampling method, for generating a random number according
to one-dimensional discrete Gaussian distribution with the origin
at the center.
[0047] Note that the method for generating the random number
according to the one-dimensional discrete Gaussian distribution the
center of which is not the origin by the rejection sampling method,
for example, the center being at a, can be a method to replace
.phi.(x) with .phi.(x-a) in the method for generating the random
number according to the one-dimensional discrete Gaussian
distribution the center of which is the origin.
[0048] In the rejection sampling method, when the condition in the
process corresponding to the above (Step 3) is not satisfied, the
similar process will be repeatedly executed. That is, the rejection
sampling method is required to recompute a function that defines
the discrete Gaussian distribution every time the generated uniform
random number is rejected, leading to a problem of reduction in the
computation efficiency.
[0049] In summary, the accumulation method has an advantage that
the computation cost is low. On the other hand, the accumulation
method has a disadvantage that the memory cost is high. The
rejection sampling method has an advantage that the memory cost is
low. On the other hand, the rejection sampling method has a
disadvantage that the computation cost is high.
[0050] Next, a method for generating a random number according to
discrete Gaussian distribution on a multidimensional lattice will
be described on the basis of the description of NPL 3. The
following are those prepared before the explanation.
[0051] Each of Gram-Schmidt orthogonalized vectors
a.sub.1.sup..fwdarw., . . . , a.sub.n.sup..fwdarw. for vectors
a.sub.1.sup..fwdarw., . . . a.sub.n.sup..fwdarw. is set to a vector
computed as follows.
a .about. .fwdarw. 1 = a .fwdarw. 1 a .about. .fwdarw. 2 = a
.fwdarw. 2 - a .fwdarw. 2 , a .about. .fwdarw. 1 a .about. .fwdarw.
1 2 a .about. .fwdarw. 1 a .about. .fwdarw. 3 = a .fwdarw. 3 - a
.fwdarw. 3 , a .about. .fwdarw. 2 a .about. .fwdarw. 2 2 a .about.
.fwdarw. 2 - a .fwdarw. 3 , a .about. .fwdarw. 1 a .about. .fwdarw.
1 2 a .about. .fwdarw. 1 a .about. .fwdarw. n = a .fwdarw. n - i =
1 n - 1 a .fwdarw. n , a .about. .fwdarw. i a .about. .fwdarw. i 2
a .about. .fwdarw. i [ Expression 5 ] ##EQU00005##
[0052] In this specification, symbols "-", ".fwdarw.", ".about.",
etc., which are symbols used in the text should be described just
above the previous character. However, due to restrictions on the
text notation, these symbols will be written immediately after the
character as described above. In the formulas and drawings, these
symbols are written in their original positions.
[0053] FIG. 12 is an explanatory diagram showing an example of a
random number generation algorithm according to discrete Gaussian
distribution on a multidimensional lattice. In the loop of the
fourth to ninth lines of the algorithm shown in FIG. 12, a random
number z.sub.i is generated by one process, and c.sub.i-1 is
updated on the basis of the generated z.sub.i. In the next
processing, a random number z.sub.i-1 is generated after the
discrete Gaussian distribution is updated on the basis of the
updated c.sub.i-1. That is, a random number z.sub.n, . . . z.sub.1
are generated sequentially.
[0054] In the process on the seventh line of the algorithm shown in
FIG. 12, D.sub.z.sub.'i,.sigma.i represents one-dimensional
discrete Gaussian distribution having a center c'.sub.i and a
variance value .sigma..sub.1. Since c.sub.i-1 is updated in each of
processes that constitute the loop, generation of a random number
according to the one-dimensional discrete Gaussian distribution
with different centers is also required every time.
CITATION LIST
Non Patent Literature
[0055] NPL 1: Regev, "On lattices, learning with errors, random
linear codes, and cryptography," STOC 2005, ACM, 2005, pages
84-93.
[0056] NPL 2: Chris Peikert, "An efficient and parallel Gaussian
Sampler for lattices," CRYPTO, 2010, pages 80-97.
[0057] NPL 3: Craig Gentry, Chris Peikert, and Vinod
Vaikuntanathan, "How to Use a Short Basis: Trapdoors for Hard
Lattices and New Cryptographic Constructions," STOC, 2008, pages
197-206.
[0058] NPL 4: DWARAKANATH, N. C, GALBRAITH, S. D, "Sampling From
Discrete Gaussians for Lattice-Based Cryptography on a Constrained
Device," Appl. Algebra Engrg. Comm. Comput. 25, 2014, pages
159-180.
[0059] NPL 5: George Casella, Christian P. Robert, and Martin T.
Wells, "Generalized Accept-Reject sampling schemes," A Festschrift
for Herman Rubin Institute of Mathematical Statistics Lecture
Notes--Monograph Series Vol. 45, 2004, pages 342-347.
SUMMARY OF INVENTION
Technical Problem
[0060] In the case of generating a random number according to
discrete Gaussian distribution on a multidimensional
(n-dimensional) lattice, it is required to perform n times of
generation of a random number according to discrete Gaussian
distribution on a one-dimensional lattice with a center being not
necessarily at the origin. The above accumulation method and
rejection sampling method are used as a method of generating a
random number according to discrete Gaussian distribution on a
one-dimensional lattice with a center being not necessarily at the
origin.
[0061] A problem when generating a random number according to the
discrete Gaussian distribution on the multidimensional lattice
using the accumulation method and a problem when generating a
random number according to the discrete Gaussian distribution on
the multidimensional lattice using the rejection sampling method
will be described in this order.
[0062] In a case where a random number is generated in accordance
with the discrete Gaussian distribution on the multidimensional
lattice by using the accumulation method, a random number according
to the one-dimensional discrete Gaussian distribution is generated
by the number of dimensions of the lattice as an output target. In
addition, the accumulation method is required to store a new
numerical value in the storage device for every different center of
the one-dimensional discrete Gaussian distribution used for
generating a random number.
[0063] Therefore, when there is a substantial difference in each of
the centers of a plurality of one-dimensional discrete Gaussian
distributions used for generating a random number, a large amount
of memory would be consumed. That is, the accumulation method used
for generating a random number according to discrete Gaussian
distribution on a multidimensional lattice would not be an
efficient sampling method in terms of the amount of memory.
[0064] A problem when generating a random number according to the
discrete Gaussian distribution on a multidimensional lattice using
the rejection sampling method is that the generation speed of a
random number according to the one-dimensional discrete Gaussian
distribution is low. The reason is that, every time the generated
uniform random number is rejected, computation of a function that
defines discrete Gaussian distribution is required, lowering the
overall computation efficiency.
Object of the Invention
[0065] In view of the above, the present invention provides a
random number generation system, a random number generation method,
and a random number generation program, for solution of the
problems, that can further reduce the memory cost and the
computation cost for generating a random number according to
discrete Gaussian distribution on a multidimensional lattice.
Solution to Problem
[0066] A random number generation system according to the present
invention is a random number generation system that generates a
random number according to a first discrete distribution, which is
a discrete Gaussian distribution on a one-dimensional lattice the
center of which is a positive value, the random number generation
system including: a generation means which generates a uniform
random number between 0 and a first probability, which is a
probability of a stochastic variable becoming a value within a
predetermined interval in a positive range in the first discrete
distribution; and a selection means, when a uniform random number
less than or equal to a second probability is generated, the second
probability being a probability of the stochastic variable becoming
a value within a predetermined interval in a second discrete
distribution, which is a discrete Gaussian distribution on a
one-dimensional lattice the center of which is the origin, selects,
as a random number generation method, an accumulation method in
which a functional value defining the second discrete distribution
is used, when a uniform random number greater than the second
probability is generated, selects a rejection sampling method as
the random number generation method.
[0067] A random number generation method according to the present
invention is a random number generation method to be executed in a
random number generation system that generates a random number
according to a first discrete distribution, which is a discrete
Gaussian distribution on a one-dimensional lattice the center of
which is a positive value, the random number generation method
including: generating a uniform random number between 0 and a first
probability, which is a probability of a stochastic variable
becoming a value within a predetermined interval in a positive
range in the first discrete distribution; when a uniform random
number less than or equal to a second probability is generated, the
second probability being a probability of the stochastic variable
becoming a value within a predetermined interval in a second
discrete distribution, which is a discrete Gaussian distribution on
a one-dimensional lattice the center of which is the origin,
selecting, as a random number generation method, an accumulation
method in which a functional value defining the second discrete
distribution is used; and when a uniform random number greater than
the second probability is generated, selecting a rejection sampling
method as the random number generation method.
[0068] A random number generation program according to the present
invention is a random number generation program that is executed on
a computer that generates a random number according to a first
discrete distribution, which is a discrete Gaussian distribution on
a one-dimensional lattice the center of which is a positive value,
the random number generation program causing the computer to
execute: a generation process that generates a uniform random
number between 0 and a first probability, which is a probability of
a stochastic variable becoming a value within a predetermined
interval in a positive range in the first discrete distribution; a
first selection process that, when a uniform random number less
than or equal to a second probability is generated, the second
probability being a probability of the stochastic variable becoming
a value within a predetermined interval in a second discrete
distribution, which is a discrete Gaussian distribution on a
one-dimensional lattice the center of which is the origin, selects,
as a random number generation method, an accumulation method in
which a functional value defining the second discrete distribution
is used; and a second selection process that, when a uniform random
number greater than the second probability is generated, selects a
rejection sampling method as the random number generation
method.
Advantageous Effects of Invention
[0069] According to the present invention, it is possible to
further reduce the memory cost and the computation cost for
generating a random number according to discrete Gaussian
distribution on a multidimensional lattice.
BRIEF DESCRIPTION OF DRAWINGS
[0070] FIG. 1 is an explanatory diagram showing one-dimensional
discrete Gaussian distribution the center of which is an origin and
one-dimensional discrete Gaussian distribution the center of which
is not the origin.
[0071] FIG. 2 is an explanatory diagram showing a region to which
an accumulation method is applied and a region to which a rejection
sampling method is applied.
[0072] FIG. 3 is a block diagram showing an exemplary configuration
of a random number generation system according to a first exemplary
embodiment of the present invention.
[0073] FIG. 4 is a block diagram showing an exemplary configuration
of a generation method selection device 110 according to the first
exemplary embodiment.
[0074] FIG. 5 is a block diagram showing an exemplary configuration
of a rejection sampling device 120 according to the first exemplary
embodiment.
[0075] FIG. 6 is a block diagram showing an exemplary configuration
of an accumulation method sampling device 130 according to the
first exemplary embodiment.
[0076] FIG. 7 is a flowchart showing an operation of a random
number generation process performed by a random number generation
system 100 of the first exemplary embodiment.
[0077] FIG. 8 is a block diagram showing a summary of a random
number generation system according to the present invention.
[0078] FIG. 9 is a block diagram showing an exemplary configuration
of a conventional random number generation system that generates a
random number according to one-dimensional discrete Gaussian
distribution.
[0079] FIG. 10 is an explanatory diagram showing an example of the
amount of memory consumed when the accumulation method is used.
[0080] FIG. 11 is a block diagram showing another exemplary
configuration of a conventional random number generation system
that generates a random number according to one-dimensional
discrete Gaussian distribution.
[0081] FIG. 12 is an explanatory diagram showing an example of a
random number generation algorithm according to discrete Gaussian
distribution on a multidimensional lattice.
DESCRIPTION OF EMBODIMENTS
First Exemplary Embodiment
[0082] Hereinafter, exemplary embodiments of the present invention
will be described with reference to the drawings. In the present
exemplary embodiment, it is assumed that one-dimensional discrete
Gaussian distribution the center of which is the origin is
virtually converted into one-dimensional discrete Gaussian
distribution the center of which is not the origin by the following
method.
[0083] FIG. 1 is an explanatory diagram showing one-dimensional
discrete Gaussian distribution the center of which is the origin
and one-dimensional discrete Gaussian distribution the center of
which is not the origin. For simplification, FIG. 1 shows only a
positive range of an output range of the one-dimensional discrete
Gaussian distribution. As shown in FIG. 1, since the
one-dimensional discrete Gaussian distribution is a line-symmetric
distribution, it is sufficient as long as the positive range of the
output range is considered.
[0084] Referring to FIG. 1, it is observed that most of the
one-dimensional discrete Gaussian distribution with a center at a
rather than at the origin is included in the one-dimensional
discrete Gaussian distribution the center of which is the origin.
For example, probability .phi.(1) in a first interval shown in FIG.
1 (for convenience, the length of the horizontal axis is 1) covers
most of probability .phi.(1-a).
[0085] Similarly, probability .phi.(2) in a second interval shown
in FIG. 1 (for convenience, the length of the horizontal axis is 1)
covers most of probability.phi.(2-a). Hereinbelow, similar
characteristics can be observed in all intervals.
[0086] That is, the random number in the first interval according
to the one-dimensional discrete Gaussian distribution the center of
which is not the origin is considered to be a random number
according to the one-dimensional discrete Gaussian distribution the
center of which is the origin with the probability of
.phi.(1)/.phi.(1-a). The present exemplary embodiment utilizes the
above characteristic.
[0087] FIG. 2 is an explanatory diagram showing a region to which
an accumulation method is applied and a region to which a rejection
sampling method is applied. Probability P shown in FIG. 2 is a sum
of the probability .phi.(1-a), . . . , probability .phi. (ts-a).
That is, the probability P is probability that a random number is
output in accordance with one-dimensional discrete Gaussian
distribution the center of which is not the origin.
[0088] In addition, as shown in FIG. 2, probability p.sub.{1-dim}
is a sum of probability .phi.(1), . . . , probability .phi.(ts).
That is, the probability p.sub.{1-dim} is probability that a random
number is output in accordance with one-dimensional discrete
Gaussian distribution the center of which is the origin.
[0089] In a case where a uniform random number r taken in an
interval [0, P] is p.sub.{1-dim} or less, the random number
generation system according to the present exemplary embodiment
generates a random number according to the one-dimensional discrete
Gaussian distribution the center of which is not the origin by the
accumulation method using a value of the function .phi.(x) that
defines one-dimensional discrete Gaussian distribution the center
of which is the origin.
[0090] Furthermore, as shown in FIG. 2, probability p.sub.{rjc} is
a sum of probability {(.phi. (1-a)-.phi.(1)}, . . . , probability
{.phi.(ts-a)-.phi.(ts)}. That is, the probability p.sub.{rjc} is a
difference between the probability P that a random number is output
in accordance with one-dimensional discrete Gaussian distribution
the center of which is not the origin and the probability
p.sub.{1-dim} that a random number is output in accordance with
one-dimensional discrete Gaussian distribution the center of which
is the origin.
[0091] In a case where the uniform random number r taken in the
interval [0, P] is larger than p.sub.{1-dim}, the random number
generation system of the present exemplary embodiment generates, by
the rejection sampling method, the random number according to the
one-dimensional discrete Gaussian distribution the center of which
is not the origin.
[0092] Since the probability p.sub.{1-dim} is sufficiently larger
than the probability p.sub.{rjc}, the probability that a random
number will be generated by the rejection sampling method is low.
That is, since the chance of generating a random number by the
rejection sampling method is reduced, the overall computation cost
for generating a random number is reduced.
[0093] In addition, since the accumulation method always uses the
value of the function .phi.(x) that defines the one-dimensional
discrete Gaussian distribution the center of which is the origin,
it is sufficient as long as the value of the function .phi.(x) is
stored in the storage device. That is, the overall memory cost for
generating a random number will also be reduced.
[0094] The above has described the method of generating a random
number according to one-dimensional discrete Gaussian distribution
having the center shifted from the origin to the right. However, a
random number according to one-dimensional discrete Gaussian
distribution having the center shifted from the origin to the left
are generated in a similar manner. The random number generation
system according to the present exemplary embodiment virtually
converts the center of the discrete Gaussian distribution on the
one-dimensional lattice and thereby efficiently generates a random
number according to the discrete Gaussian distribution on the
multidimensional lattice.
Description of Configuration
[0095] FIG. 3 is a block diagram showing an exemplary configuration
of a random number generation system according to a first exemplary
embodiment of the present invention. As shown in FIG. 3, a random
number generation system 100 of the present exemplary embodiment
includes a generation method selection device 110, a rejection
sampling device 120, and an accumulation method sampling device
130.
[0096] FIG. 4 is a block diagram showing an exemplary configuration
of the generation method selection device 110 according to the
first exemplary embodiment. As shown in FIG. 4, the generation
method selection device 110 of the present exemplary embodiment
includes an interval uniform random number generation means 111 and
a generation method selection means 112.
[0097] The interval uniform random number generation means 111 has
a function of generating a uniform random number r in the interval
[0, P]. Furthermore, the generation method selection means 112 has
a function of selecting a random number generation method after
comparing the generated uniform random number r and the probability
p.sub.{1-dim}.
[0098] In a case where the uniform random number r is probability
p.sub.{1-dim} or less, the generation method selection means 112
selects the accumulation method as the random number generation
method. After the selection, the generation method selection means
112 instructs the accumulation method sampling device 130 to
generate a random number.
[0099] In addition, in a case where the uniform random number r is
larger than the probability p.sub.{1-dim}, the generation method
selection means 112 selects the rejection sampling method as the
random number generation method. After the selection, the
generation method selection means 112 instructs the rejection
sampling device 120 to generate a random number.
[0100] FIG. 5 is a block diagram showing an exemplary configuration
of the rejection sampling device 120 according to the first
exemplary embodiment. As shown in FIG. 5, the rejection sampling
device 120 of the present exemplary embodiment includes a uniform
random number generation means 121 and a rejection determination
means 122.
[0101] The function of the uniform random number generation means
121 is similar to the function of the uniform random number
generator 922. That is, the uniform random number generation means
121 generates a uniform random number u.sub.1.di-elect cons.Z
within a range of {k.di-elect
cons.Z|-(ts-a).ltoreq.k.ltoreq.(ts-a)}.
[0102] Next, the uniform random number generation means 121
generates a real-valued random number u.sub.2 .di-elect cons. R
within a range of [0, .phi.(-a)]. The uniform random number
generation means 121 inputs the generated u.sub.1 .di-elect cons. Z
and u.sub.2 .di-elect cons. R to the rejection determination means
122.
[0103] The function of rejection determination means 122 is similar
to the function of rejection determiner 921 and the function of
output device 923. That is, rejection determination means 122
compares .phi.(u.sub.1-a) and u.sub.2 .di-elect cons. R. When
u.sub.2.ltoreq..phi.(u.sub.1-a) is satisfied as a result of the
comparison, the rejection determination means 122 outputs u.sub.1
.di-elect cons.Z as a random number according to one-dimensional
discrete Gaussian distribution the center of which is not the
origin.
[0104] When u.sub.2>.phi. (u.sub.1-a) is satisfied as a result
of the comparison, the rejection determination means 122 returns to
the first step and executes the same operation again.
[0105] FIG. 6 is a block diagram showing an exemplary configuration
of the accumulation method sampling device 130 according to the
first exemplary embodiment. As shown in FIG. 6, the accumulation
method sampling device 130 of the present exemplary embodiment
includes a uniform random number generation means 131, a search
means 132, a storage means 133, and an output means 134.
[0106] The function of the uniform random number generation means
131 is similar to the function of the uniform random number
generator 913. That is, the uniform random number generation means
131 outputs a real value x .di-elect cons. [0,1].
[0107] Furthermore, the function of the search means 132 is similar
to the function of the searcher 912. That is, the search means 132
performs binary search for z .di-elect cons. Z that satisfies
.phi.(z-a-1).ltoreq.x<.phi.(z-a) from among the values stored in
the storage means 133.
[0108] Furthermore, the function of the storage means 133 is
similar to the function of the storage device 911. That is, the
storage means 133 stores the values of .phi.(0-a)/2, .phi.(1-a),
.phi.(2-a), . . . , .phi.(ts-a).
[0109] The output means 134 has a function of outputting the random
number searched by the search means 132 as a random number
according to one-dimensional discrete Gaussian distribution the
center of which is not the origin.
[0110] The random number generation system 100 of the present
exemplary embodiment is capable of generating a random number
according to the discrete Gaussian distribution on the
multidimensional lattice at a memory cost for generating a random
number according to one-dimensional discrete Gaussian distribution
by the accumulation method, and at a computation cost close to the
computation cost when each of the sampling processes is executed by
the accumulation method.
Description of Operation
[0111] Hereinafter, operation of the random number generation
system 100 according to the present exemplary embodiment to
generate a random number according to one-dimensional discrete
Gaussian distribution the center of which is not the origin will be
described with reference to FIG. 7. FIG. 7 is a flowchart showing
an operation of a random number generation process performed by the
random number generation system 100 of the first exemplary
embodiment.
[0112] First, the interval uniform random number generation means
111 generates a uniform random number r in the interval [0, P]
(step S101). The interval uniform random number generation means
111 inputs the generated uniform random number r to the generation
method selection means 112.
[0113] Next, the generation method selection means 112 determines
whether the input uniform random number r is larger than the
probability p.sub.{1-dim} (step S102).
[0114] In a case where the uniform random number r is larger than
the probability p.sub.{1-dim} (True in step S102), the generation
method selection means 112 selects the rejection sampling method as
a random number sampling processing method (step S103). Next, the
generation method selection means 112 instructs the rejection
sampling device 120 to generate a random number.
[0115] After instructed to generate a random number, the rejection
sampling device 120 generates a random number according to
one-dimensional discrete Gaussian distribution the center of which
is not the origin by the rejection sampling method (step S104).
After the generation, the rejection sampling device 120 outputs the
generated random number (step S105). After the output, the random
number generation system 100 finishes the random number generation
process.
[0116] In a case where the uniform random number r is the
probability p.sub.{1-dim} or less (False in step S102), the
generation method selection means 112 selects the accumulation
method as a random number sampling processing method (step S106).
Next, the generation method selection means 112 instructs the
accumulation method sampling device 130 to generate a random
number.
[0117] After instructed to generate a random number, the
accumulation method sampling device 130 generates a random number
according to one-dimensional discrete Gaussian distribution the
center of which is not the origin by the accumulation method (step
S107). The accumulation method sampling device 130 generates a
random number by the accumulation method that uses a functional
value defining one-dimensional discrete Gaussian distribution the
center of which is the origin.
[0118] After the generation, the accumulation method sampling
device 130 outputs the generated random number (step S108). After
the output, the random number generation system 100 finishes the
random number generation process. In a case where a random number
according to the discrete Gaussian distribution on the
n-dimensional lattice is generated, the random number generation
system 100 executes the random number generation process shown in
FIG. 7 n times.
Description of Effects
[0119] Since the value of the probability p.sub.{1-dim} is
sufficiently larger than the value of the probability p.sub.{rcj},
the generation method selection means 112 selects, in most cases,
the accumulation method that uses a functional value defining
one-dimensional discrete Gaussian distribution the center of which
is the origin, as the random number generation method. That is,
when the random number generation system 100 of the present
exemplary embodiment is used, the sampling process that is executed
every time a random number according to discrete Gaussian
distribution on a multidimensional lattice is generated, is
performed, with high probability, as the sampling process using the
accumulation method.
[0120] Therefore, the memory cost required for the entire random
number generation process by the random number generation system
100 will be reduced to a value of a degree substantially the same
as the memory cost required when the random number according to the
one-dimensional discrete Gaussian distribution the center of which
is the origin is generated by the accumulation method.
[0121] Furthermore, the computation cost required for the entire
random number generation process by the random number generation
system 100 is reduced to a value close to the computation cost
required when the sampling process executed every time is the
sampling process performed by the accumulation method.
[0122] Note that the random number generation system 100 of the
present exemplary embodiment may be implemented by a processor such
as a central processing unit (CPU) or a data processing device that
executes processing according to a program stored in a
non-transitory storage medium, for example. That is, the interval
uniform random number generation means 111, the generation method
selection means 112, the uniform random number generation means
121, the rejection determination means 122, the uniform random
number generation means 131, the search means 132, and the output
means 134 may be implemented by a CPU that executes processes in
accordance with a program control, for example.
[0123] The storage means 133 may be implemented by random access
memory (RAM), for example.
[0124] In addition, individual components in the random number
generation system 100 according to the present exemplary embodiment
may be implemented by a hardware circuit. As an example, the
interval uniform random number generation means 111, the generation
method selection means 112, the uniform random number generation
means 121, the rejection determination means 122, the uniform
random number generation means 131, the search means 132, the
storage means 133, and the output means 134 may be implemented by
individual large scale integration (LSI) devices. Alternatively,
they may be implemented by one LSI device.
[0125] Next, a summary of the present invention will be described.
FIG. 8 is a block diagram showing a summary of a random number
generation system according to the present invention. The random
number generation system 10 according to the present invention is a
random number generation system that generates a random number
according to a first discrete distribution, which is a discrete
Gaussian distribution on a one-dimensional lattice the center of
which is a positive value, the random number generation system 10
including: a generation means 11 (for example, the interval uniform
random number generation means 111) which generates a uniform
random number between 0 and a first probability, which is a
probability of a stochastic variable becoming a value within a
predetermined interval in a positive range in the first discrete
distribution; and a selection means 12 (for example, the generation
method selection means 112), when a uniform random number less than
or equal to a second probability is generated, the second
probability being a probability of the stochastic variable becoming
a value within a predetermined interval in a second discrete
distribution, which is a discrete Gaussian distribution on a
one-dimensional lattice the center of which is the origin, selects,
as a random number generation method, an accumulation method in
which a functional value defining the second discrete distribution
is used, when a uniform random number greater than the second
probability is generated, selects a rejection sampling method as
the random number generation method.
[0126] With such a configuration, the random number generation
system can further reduce the memory cost and computation cost for
generating a random number according to discrete Gaussian
distribution on a multidimensional lattice.
[0127] Furthermore, the random number generation system 10 may
include an accumulation method generation means (for example, the
accumulation method sampling device 130) which generates a random
number according to the discrete Gaussian distribution on the
one-dimensional lattice by the accumulation method that uses the
functional value defining the second discrete distribution, the
selection means 12 may instruct the accumulation method generation
means to generate a random number after the accumulation method is
selected, and the accumulation method generation means may generate
a random number in response to the instruction. Furthermore, the
accumulation method generation means may include a storage means
(for example, the storage means 133) which stores the functional
value defining the second discrete distribution.
[0128] With such a configuration, the random number generation
system can generate, by the accumulation method, a random number
according to discrete Gaussian distribution on a one-dimensional
lattice the center of which is not the origin.
[0129] Furthermore, the random number generation system 10 may
include a rejection sampling method generation means (for example,
the rejection sampling device 120) which generates a random number
according to the discrete Gaussian distribution on the
one-dimensional lattice by the rejection sampling method, the
selection means 12 may instruct the rejection sampling method
generation means to generate a random number after the rejection
sampling method is selected, and the rejection sampling method
generation means may generate a random number in response to the
instruction.
[0130] With such a configuration, the random number generation
system can generate, by the rejection sampling method, a random
number according to discrete Gaussian distribution on a
one-dimensional lattice the center of which is not the origin.
[0131] While the invention of the present application has been
described with reference to the exemplary embodiments and examples,
the invention of the present application is not limited to the
above exemplary embodiments and examples. Configuration and details
of the invention of the present application can be modified in
various manners understandable for those skilled in the art within
the scope of the invention of the present application.
[0132] The above exemplary embodiments may also be partially or
entirely described as the following appendices, although this is
not a limitation.
[0133] (Supplementary Note 1)
[0134] A random number generation system that generates a random
number according to a third discrete distribution, which is a
discrete Gaussian distribution on a one-dimensional lattice the
center of which is a negative value, the random number generation
system including: a generation means which generates a uniform
random number between 0 and a third probability, which is a
probability of a stochastic variable becoming a value within a
predetermined interval in a negative range in the third discrete
distribution; and a selection means, when a uniform random number
less than or equal to a fourth probability is generated, the fourth
probability being a probability of the stochastic variable becoming
a value within a predetermined interval in a fourth discrete
distribution, which is a discrete Gaussian distribution on a
one-dimensional lattice the center of which is the origin, selects,
as a random number generation method, an accumulation method in
which a functional value defining the fourth discrete distribution
is used, when a uniform random number greater than the fourth
probability is generated, selects a rejection sampling method as
the random number generation method.
[0135] (Supplementary Note 2)
[0136] The random number generation system according to
Supplementary note 1, further including an accumulation method
generation means which generates a random number according to the
discrete Gaussian distribution on the one-dimensional lattice by
the accumulation method that uses the functional value defining the
fourth discrete distribution, in which the selection means
instructs the accumulation method generation means to generate a
random number after the accumulation method is selected, and the
accumulation method generation means generates a random number in
response to the instruction.
[0137] (Supplementary Note 3)
[0138] The random number generation system according to
Supplementary note 2, in which the accumulation method generation
means includes a storage means which stores the functional value
defining the fourth discrete distribution.
[0139] (Supplementary Note 4)
[0140] The random number generation system according to any one of
Supplementary notes 1 to 3, further including a rejection sampling
method generation means which generates a random number according
to the discrete Gaussian distribution on the one-dimensional
lattice by the rejection sampling method, in which the selection
means instructs the rejection sampling method generation means to
generate a random number after the rejection sampling method is
selected, and the rejection sampling method generation means
generates a random number in response to the instruction.
[0141] (Supplementary Note 5)
[0142] A random number generation method to be executed in a random
number generation system that generates a random number according
to a third discrete distribution, which is a discrete Gaussian
distribution on a one-dimensional lattice the center of which is a
negative value, the random number generation method including:
generating a uniform random number between 0 and a third
probability, which is a probability of a stochastic variable
becoming a value within a predetermined interval in a negative
range in the third discrete distribution; when a uniform random
number less than or equal to a fourth probability is generated, the
fourth probability being a probability of the stochastic variable
becoming a value within a predetermined interval in a fourth
discrete distribution, which is a discrete Gaussian distribution on
a one-dimensional lattice the center of which is the origin,
selecting, as a random number generation method, an accumulation
method in which a functional value defining the fourth discrete
distribution is used; and when a uniform random number greater than
the fourth probability is generated, selecting a rejection sampling
method as the random number generation method.
[0143] (Supplementary Note 6)
[0144] A random number generation program executed on a computer
that generates a random number according to a third discrete
distribution, which is a discrete Gaussian distribution on a
one-dimensional lattice the center of which is a negative value,
the random number generation program causing the computer to
execute: a generation process that generates a uniform random
number between 0 and a third probability, which is a probability of
a stochastic variable becoming a value within a predetermined
interval in a negative range in the third discrete distribution; a
third selection process that, when a uniform random number less
than or equal to a fourth probability is generated, the fourth
probability being a probability of the stochastic variable becoming
a value within a predetermined interval in a fourth discrete
distribution, which is a discrete Gaussian distribution on a
one-dimensional lattice the center of which is the origin, selects,
as a random number generation method, an accumulation method in
which a functional value defining the fourth discrete distribution
is used; and a fourth selection process that, when a uniform random
number greater than the fourth probability is generated, selects a
rejection sampling method as the random number generation
method.
REFERENCE SIGNS LIST
[0145] 010, 100, 910, 920 Random number generation system [0146] 11
Generation means [0147] 12 Selection means [0148] 110 Generation
method selection device [0149] 111 Interval uniform random number
generation means [0150] 112 Generation method selection means
[0151] 120 Rejection sampling device [0152] 121, 131 Uniform random
number generation means [0153] 122 Rejection determination means
[0154] 130 Accumulation method sampling device [0155] 132 Search
means [0156] 133 Storage means [0157] 134 Output means [0158] 911
Storage device [0159] 912 Searcher [0160] 913, 922 Uniform random
number generator [0161] 921 Rejection determiner [0162] 923 Output
device
* * * * *